What the auditor needs to know about cloud computing
Cloud Security for auditors
Moshe Ferber, CCSK, CCSP, CCAK
Onlinecloudsec.com
"When the winds of change blow, some people build walls and others build windmills." – Chinese proverb
#About
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
• Co-hosting the Silverlining podcast – learn about security engineering
• Founding committee member for the ISC2 CCSP and CSA CCSK, CCAK certifications
• Member of the board at Macshava Tova – narrowing societal gaps
• Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
So, what is cloud computing?
Actually, cloud does have a definition…
Cloud characteristics:
• Cloud computing characteristics distinguish cloud from other forms of compute (i.e. hosting, outsourcing, static virtualization)
• Mostly relevant for certain regulations
Cloud services are very different from one another.
SaaS / PaaS / IaaS
Private / Hybrid / Public
The shared responsibility model
Layers: Physical Security; Network & Data Center Security; Hypervisors Security; Virtual Machines & OS security; Data layer & development platform; Application; Identity Management; Data; Audit & Monitoring.
For each service model (IaaS, PaaS, SaaS) the layers are split between consumer responsibility and provider responsibility.
The CISO challenge
SaaS / PaaS / IaaS:
• Gain the expertise for building secure applications
• Evaluate providers correctly
• Very hard to provide best practices
Governance tools: cloud policy, cloud audit, contract
Cloud security policy
Building a cloud strategy: relevant steps
• Guidelines for which data/app can migrate
• Threats & risks to consider
• Identifying key stakeholders
• Evaluating the provider maturity and security controls
• Additional controls that should be implemented in the service
Cloud policy: balancing the requirements
• Laws (i.e. privacy laws)
• Regulations (sector specific)
• Standards (PCI, ISO)
• Contracts
Data classification is mandatory
• Data that can be migrated
• Data that cannot be migrated
• Data that can only migrate to certain providers
• Data that can only be migrated to certain jurisdictions
• Data that can only be migrated if encrypted / anonymized
UK gov data classification: Official, Secret, Top Secret. Official is allowed in the public cloud.
Dealing with risk and threats
Identifying key stakeholders
Internal stakeholders:
• IT department
• Business owners
• R&D department
• Legal department
• GRC department
• Procurement department
External stakeholders:
• Integration & implementation partners
• Brokers
• Software development companies
• Auditors
• Security consultants
Often the internal stakeholders will form a sort of Cloud Computing Center of Excellence.
Stakeholder responsibilities
Procurement:
• Monitor shadow IT
• Authorized providers list
• Budget management – IaaS/PaaS
• SaaS license management
Architecture:
• Building cloud architecture
• Integrating new tools
• Vision and roadmap
GRC/CRO:
• Guidelines for compliance program
• Provider screening process
• Specific controls
Operations/devops:
• Automation
• Monitoring
• Security (secdevops)
Specific controls examples: cloud migration committee; mandatory provider certifications; MFA usage; data encryption at rest; security assessments
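The data-classification rules above (can / cannot migrate, only to certain providers, only to certain jurisdictions, only if encrypted) and the specific-controls examples (mandatory certifications, MFA, encryption at rest) can be expressed as policy-as-code so a migration committee gets a reproducible decision with reasons. This is an added example, not from the deck or the author's course material; the rule classes, provider attributes, mandatory certification set and the sample providers and datasets are constructed assumptions, and the "customer-held keys" requirement for the encrypted-only class is an assumed answer to the deck's "who has the keys?" question.

```python
"""Added example: policy-as-code evaluator for cloud migration decisions.
Everything here (rule classes, provider facts, sample data) is constructed
for illustration and is not a real organisation's policy."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Rule(Enum):
    """Migration rules from the 'Data classification is mandatory' slide."""
    ANY_PROVIDER = "can be migrated"
    NO_MIGRATION = "cannot be migrated"
    CERTAIN_PROVIDERS = "only to certain providers"
    CERTAIN_JURISDICTIONS = "only to certain jurisdictions"
    ENCRYPTED_ONLY = "only if encrypted / anonymized"


@dataclass(frozen=True)
class DataSet:
    name: str
    rule: Rule
    allowed_providers: frozenset = frozenset()      # used by CERTAIN_PROVIDERS
    allowed_jurisdictions: frozenset = frozenset()  # used by CERTAIN_JURISDICTIONS


@dataclass(frozen=True)
class Provider:
    """Provider facts as recorded from a 3rd-party attestation (assumed fields)."""
    name: str
    jurisdiction: str
    certifications: frozenset   # e.g. ISO27017, SOC2, CSA STAR, named in the deck
    enforces_mfa: bool
    encrypts_at_rest: bool
    customer_holds_keys: bool   # assumed answer to the deck's 'who has the keys?'


# 'Specific controls examples': mandatory provider certifications, MFA usage,
# data encryption at rest. The certification set is an assumption.
MANDATORY_CERTIFICATIONS = frozenset({"ISO27017", "SOC2"})


def control_gaps(p: Provider) -> list[str]:
    """Gap analysis of one provider against the organisation-wide controls."""
    gaps = [f"missing certification {c}"
            for c in sorted(MANDATORY_CERTIFICATIONS - p.certifications)]
    if not p.enforces_mfa:
        gaps.append("MFA not enforced")
    if not p.encrypts_at_rest:
        gaps.append("no encryption at rest")
    return gaps


def evaluate_migration(ds: DataSet, p: Provider) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); an empty reasons list means the move is allowed."""
    reasons = control_gaps(p)
    if ds.rule is Rule.NO_MIGRATION:
        reasons.append(f"{ds.name} is classified as not migratable")
    elif ds.rule is Rule.CERTAIN_PROVIDERS and p.name not in ds.allowed_providers:
        reasons.append(f"{p.name} is not on the authorized provider list for {ds.name}")
    elif ds.rule is Rule.CERTAIN_JURISDICTIONS and p.jurisdiction not in ds.allowed_jurisdictions:
        reasons.append(f"{p.jurisdiction} is outside the allowed jurisdictions for {ds.name}")
    elif ds.rule is Rule.ENCRYPTED_ONLY and not (p.encrypts_at_rest and p.customer_holds_keys):
        reasons.append("data must be encrypted at rest with customer-held keys")
    return (not reasons, reasons)


# Constructed sample inventory (not real providers or data).
PROVIDER_A = Provider("Provider-A", "EU", frozenset({"ISO27017", "SOC2", "CSA STAR"}), True, True, True)
PROVIDER_B = Provider("Provider-B", "US", frozenset({"SOC2"}), False, True, False)
DATASETS = [
    DataSet("marketing-site", Rule.ANY_PROVIDER),
    DataSet("hr-records", Rule.CERTAIN_JURISDICTIONS, allowed_jurisdictions=frozenset({"EU"})),
    DataSet("customer-pii", Rule.ENCRYPTED_ONLY),
    DataSet("secret-projects", Rule.NO_MIGRATION),
]


def migration_report(providers, datasets):
    """Decision per (dataset, provider) pair: the input to a migration committee."""
    return {(d.name, p.name): evaluate_migration(d, p) for d in datasets for p in providers}


if __name__ == "__main__":
    for (d, p), (ok, why) in migration_report([PROVIDER_A, PROVIDER_B], DATASETS).items():
        print(f"{d:16} -> {p}: {'ALLOW' if ok else 'BLOCK'} {'; '.join(why)}")
```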
Evaluating providers (cloud assessments)
High diversity in the market (especially in SaaS)
• Could you do an audit?
• Should you do an audit?
In many cases you must settle for 3rd party attestation.
(Figure: Cloud provider A vs. Cloud provider B)
Provider evaluation
• Is the service adequate?
• How mature is the provider?
• Are the provider responsibilities clear?
• Are customer responsibilities clear?
• Are there gaps?
Provider evaluation – what am I really looking for? Trust.
• Accountability: is the provider accountable for its responsibilities?
• Transparency: is the information I am receiving accurate and actionable?
• Assurance: will the provider perform as planned?
Provider evaluation (mostly on SaaS)
1. Reviewing security policy
2. Evaluating the provider
3. Evaluating the service
4. Evaluating the supply chain
5. Analyzing gaps
6. Setting special requirements
7. Contract signing
8. Ongoing monitoring
Tools for provider evaluation
https://cloudsecurityalliance.org/star/registry/
SaaS services – security foundation
Encryption
• Encrypting data at the cloud provider (who has the keys)?
Identity management
• Who controls the user store?
• Who is responsible for authentication?
Governance & audit
• Who does what?
• Suspicious events detection
IaaS/PaaS – performing security testing
Security assessment
• Usually assesses the cloud infrastructure
• Requires knowledge of the cloud platform
• Usually made against a checklist
• Evaluates the security posture of the environment
Penetration testing
• Usually covers the application layer
• Mostly black box
• Requires coordination with the provider
• Assesses the application's resilience
Assessing with a security framework
Security frameworks (non cloud specific): ISO27001, SOC 2/3, COBIT, EU-Sec
Security frameworks (cloud specific): ISO27017 / 27018 (cloud security & privacy), CSA STAR, BSI C5, NIST 800-53, PCI DSS cloud guidelines, CIS benchmarks
Consideration: cloud native vs. migrated to the cloud
Contract management
• Usually made from 3 parts: Agreement, SLA, ToS
• Usually not negotiable
• Must address the shared responsibility model
• Must address sub-processors
• Cloud specific: location of services, conflict resolution, breach notification
• Must address end-of-service and migration
Privacy considerations
Data privacy laws are turning the world into privacy islands.
Important topics:
• Data residency
• Processor vs. controller roles
• Data subject's rights
• Breach notifications
Check out the CSA Privacy Level Agreement:
https://cloudsecurityalliance.org/research/working-groups/privacy-level-agreement/
Summary
• The word cloud describes many different types of services, with different security considerations.
• Pick your battles:
  • Large mature IaaS/PaaS providers – focus on customer maturity
  • SaaS services – choose your partners wisely
  • Practical cloud policy is the place to begin, everything else will follow
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
KEEP IN TOUCH
Questions?
